I have a running Amazon EC2 Linux instance associated with a keypair (p1) and I have downloaded the private key to my home desktop. Now at work, I created a keypair (p2) on my work desktop and imported the public key to Amazon via the AWS console.

At home, I want to add the public key of keypair p2 to authorized_keys of my AMI instance (which I can currently access only from home).
However, I forgot to bring the public key of p2 with me, so is it possible to somehow export this public key from Amazon?

4 Answers
4

Start a new, temporary EBS boot t1.micro instance A, specifying keypair p2. Specify an availability zone where you have another instance B already running and to which you have access. (Start a temporary one if needed).

Stop (not terminate) the instance A after it has been in the running state for a few minutes, so it has a chance to save the public key to its authorized_keys file.

Detach the root EBS volume from the stopped instance A. Attach and mount it to your running instance B.

Not sure how this actually solves the original question... it is definitely one way to deal with AWS EC2 instances if and only if you're using EBS-backed instances.
– Jeremy Bouse, Dec 19 '11 at 22:08

You don't have to be using EBS boot instances except for the one time you run the temporary instance to get the public key off of it. All you want to do is get the public key which this approach does.
– Eric Hammond, Dec 19 '11 at 22:18

If you have the private key you can regenerate the public key without going through such measures.
– Jeremy Bouse, Dec 20 '11 at 2:06

2

Jeremy: Based on the original question, the private key is back at his office where he cannot get it. And once he gets back to the office, he can't get in to the EC2 instance because it does not have the public key for that office private key. That's why he wants to get the public key from Amazon, and the only way to do that is to start an instance with that public key. Then you have to get the public key off of that instance which is the tricky part.
– Eric Hammond, Dec 20 '11 at 3:50

Wow! Lot of work to get the public key. It would have been easier for Amazon to put an "Export public key" option.
– Jus12, Dec 20 '11 at 9:28

If you have the private SSH key you can re-generate the public key component simply by running the following ssh-keygen command:

ssh-keygen -y -f /path/to/private-key > /path/to/public-key

That much is the simple part... The AWS console and API do not support pushing 2 keypairs when starting an EC2 instance. This is an exercise left for the system administrator to do through other means.

If you have access to the identity key already authorized you could simply perform the following ssh-copy-id command:

ssh-copy-id -i /path/to/public-key user@EC2-instance

This will copy the given public key to the server and into the ~user/.ssh/authorized_keys file automatically for you and ensure proper permissions on the file.

The more elegant way would be to include the additional identity keys in your configuration management processes. In my case this entails adding the additional keys to the Puppet configuration for the node.

As a side note, personal preference, but I would utilize a better SSH key management method than simply having to include separate keys for work and home location. As I mentioned in a previous question I maintain my keys on a USB drive that I keep with me rather than on any computer I utilize.
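
Both answers above end at the same step: a public key (read from the mounted volume of the temporary instance, or regenerated from the private key) has to be appended to authorized_keys with permissions sshd will accept. The following is an added example, not code from either answer; the function name and its arguments are hypothetical, and it assumes plain key lines, so lines that carry options before the key type are skipped rather than parsed.

```shell
# Added example, not from the original answers. The function name and its
# two arguments are hypothetical.
# Usage: add_authorized_keys SRC SSH_DIR
#   SRC     file holding public keys (a .pub file, or the authorized_keys
#           file read from the mounted volume of the temporary instance)
#   SSH_DIR the target account's .ssh directory
# Prints the number of keys appended.
add_authorized_keys() {
    src=$1
    ssh_dir=$2
    dest="$ssh_dir/authorized_keys"
    added=0

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # sshd with StrictModes (the default) ignores authorized_keys when the
    # file or its directory is writable by anyone but the owner.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir" && touch "$dest" || { umask "$old_umask"; return 2; }
    chmod 700 "$ssh_dir" && chmod 600 "$dest"

    # read splits each line into key type, base64 blob and optional comment.
    while read -r type blob comment || [ -n "$type" ]; do
        case $type in
            ''|'#'*) continue ;;
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) echo "skipped: line does not start with a known key type" >&2
               continue ;;
        esac
        case $blob in
            ''|*[!A-Za-z0-9+/=]*)
               echo "skipped: malformed $type key" >&2
               continue ;;
        esac
        # Idempotent: match on the blob, because the comment field may differ.
        if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                             END { exit !f }' "$dest"; then
            continue
        fi
        printf '%s\n' "$type $blob${comment:+ $comment}" >> "$dest"
        added=$((added + 1))
    done < "$src"

    umask "$old_umask"
    echo "$added"
}
```

Running it a second time with the same source appends nothing, so it is safe to repeat after an interrupted session.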

I already provided one answer which uses EBS volumes to get at the ssh public key, but here's another way you can get at it by starting a temporary EC2 instance with a user-data script that sends the public key to the console output. Here are the steps:

Save the following code to a file named output-ssh-key.userdata on your local computer. DO NOT RUN THESE COMMANDS LOCALLY!

The temporary instance will automatically terminate itself in under an hour, but you can terminate it yourself if you'd like to make sure that you aren't charged more than the two cents this will cost to run.